USB drive-by HID attack – part 1 introduction

This series of posts is about keystroke injection tools disguised as generic USB memory sticks and, in particular, the BadUSB Beetle, which costs under £10 and is based on an Arduino Leonardo chip.

They can be used to create easily repeatable demonstrations that illustrate why basic security precautions are so important. For example, they can be programmed to grab stored Wi-Fi credentials and send them to a Google email account within seconds of being plugged in. These demonstrations aim to be real-world examples (i.e. with AV and a firewall running on an up-to-date Windows 10 PC) and show how an attacker or pen tester might exploit a vulnerability or lapse in security.

They can be programmed to make a number of separate attacks and can demonstrate how a seemingly small difference in configuration can have a big impact on the attacker’s ability to grab credentials. For example, running the same attack against two target user accounts, one with local admin privileges and the other a standard user.

There are other more powerful or easier to use devices, but the BadUSB Beetle is cheap, easily obtainable and still relatively easy to use, so it makes an ideal starting point.
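The "within seconds of being plugged in" timing that makes these demonstrations convincing is also the most useful detection signal: a person does not normally open a command prompt two seconds after attaching a new keyboard. The Python below is an added illustration for this post, not code from the post or from any vendor's tooling. It correlates two Windows Security log events, 6416 (a new external device was recognised by the system, which needs the Audit PNP Activity setting enabled) and 4688 (process creation, which needs Audit Process Creation enabled), and flags a shell started from the desktop shortly after a keyboard-class device appears. The log records are constructed and reduced to a pipe-delimited layout; the real events are XML with more fields, although the field names used (ClassName, DeviceDescription, NewProcessName, ParentProcessName) are the ones those events carry. The ten-second window and the explorer.exe parent check are assumptions to tune locally.

```python
"""Correlate 'new keyboard plugged in' with 'shell spawned moments later'.

Added illustration, not part of the original post or any vendor tooling.
The records below are CONSTRUCTED, simplified versions of two Windows
Security log events: 6416 (new external device recognised) and 4688
(process creation). The pipe-delimited layout is ours, not Windows'.
"""
from datetime import datetime, timedelta

# Constructed sample: one hostile-looking sequence (shell 2 s after a new
# keyboard), one benign keyboard swap (shell 90 s later), and one shell
# launched with no new device at all.
SAMPLE_LOG = """\
2024-05-01T09:00:00|6416|ClassName=Keyboard|DeviceDescription=USB Input Device
2024-05-01T09:00:02|4688|NewProcessName=C:\\Windows\\System32\\cmd.exe|ParentProcessName=C:\\Windows\\explorer.exe
2024-05-01T10:00:00|6416|ClassName=Keyboard|DeviceDescription=Dell KB216
2024-05-01T10:01:30|4688|NewProcessName=C:\\Windows\\System32\\cmd.exe|ParentProcessName=C:\\Windows\\explorer.exe
2024-05-01T11:00:00|4688|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentProcessName=C:\\Windows\\explorer.exe
"""

WINDOW = timedelta(seconds=10)             # assumption: humans are slower than this
SHELLS = {"cmd.exe", "powershell.exe"}     # the shells this post's demos open


def parse_line(line):
    """Turn one constructed record into a dict with a datetime and an event id."""
    ts, event_id, *fields = line.split("|")
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_keyboard_arrival(rec):
    # 6416 reports the device setup class; a BadUSB enumerates as a keyboard.
    return rec["id"] == 6416 and rec.get("ClassName") in ("Keyboard", "HIDClass")


def is_desktop_shell(rec):
    # Win+R -> Run dialog -> cmd.exe: the shell's parent is explorer.exe.
    if rec["id"] != 4688:
        return False
    exe = rec.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    parent = rec.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    return exe in SHELLS and parent == "explorer.exe"


def find_suspicious(records, window=WINDOW):
    """Return (keyboard_record, shell_record) pairs where a desktop shell
    started within `window` of a new keyboard. Records must be time-ordered."""
    hits, keyboards = [], []
    for rec in records:
        if is_keyboard_arrival(rec):
            keyboards.append(rec)
        elif is_desktop_shell(rec):
            for kb in keyboards:
                if timedelta(0) <= rec["time"] - kb["time"] <= window:
                    hits.append((kb, rec))
    return hits


def report(text):
    """Compact summary: (device description, shell path, seconds between them)."""
    return [(kb["DeviceDescription"], sh["NewProcessName"],
             (sh["time"] - kb["time"]).total_seconds())
            for kb, sh in find_suspicious(parse_log(text))]


if __name__ == "__main__":
    for device, shell, secs in report(SAMPLE_LOG):
        print(f"ALERT: {shell} started {secs:.0f}s after new keyboard '{device}'")
```

Only the first pair is reported; the Dell keyboard followed by a shell a minute and a half later, and the PowerShell launch with no new device, stay quiet. A second rule worth adding in production is simpler still: a keyboard-class device appearing while the machine already has one, regardless of what follows.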

Background
There is a whole range of USB or ‘USB drive-by’ style attacks and associated tools.

Perhaps the most famous keystroke injection tool is HAK5’s USB Rubber Ducky, which was featured on the Mr Robot TV show (HAK5 demo on YouTube: https://www.youtube.com/watch?v=4kX90HzA0FM).

There is a fairly extensive library of published HAK5 scripts, as well as a number of different open source options for firmware.

There is a range of similar keystroke injection tools, and even tutorials that let you build your own device from scratch. Typically, they are based on a very small, low-cost microcontroller that can be programmed to act like a keyboard when plugged into the target machine.

The features vary. Some have removable storage, such as a Micro SD card, that can hold the programmed attacks and act as a normal USB memory device to store any stolen data. Others, such as the WHID Cactus, allow keystrokes to be delivered to the target machine over Wi-Fi, which gives you more flexibility.

The BadUSB Beetle is based on an Arduino Leonardo chip and is one of the most basic.

Using the BadUSB Beetle
Helpfully, there are free tools that can convert published HAK5 Ducky Scripts so that they run on the BadUSB, such as the following:

https://roothaxor.gitlab.io/ducky2arduino_stable/

The resulting Arduino sketch can then be uploaded to the BadUSB with the official Arduino IDE. The following YouTube video walks you through the process:

https://www.youtube.com/watch?v=RdQyEYzbY_k

Keyboard mapping issues
It is important to note that the BadUSB Beetle does not directly transmit characters like “a”, “q” or “1”; it mimics key presses on a standard US keyboard. This means that if the target machine is not set to the standard US layout, you can sometimes get unexpected characters.

However, the keyboard mapping used by the Arduino Keyboard library (bundled with the official Arduino IDE) is stored in the Keyboard.cpp file, which can be edited in WordPad. It is located in Arduino\libraries\Keyboard\src.

To get a backslash character on a target with a UK keyboard, search for 0x31 and replace it with 0x64 within the ‘const uint8_t _asciimap[128] =’ section.

Other keys can be remapped in a similar way if needed.
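To see why the wrong characters appear, it helps to model what Keyboard.print() actually sends. The Python below is an added illustration, not code from this post or from the Arduino project. It rebuilds the printable part of the library’s US _asciimap (one byte per ASCII character holding the HID usage code, with bit 0x80 meaning ‘hold Shift’), applies the 0x31 to 0x64 replacement described above, and shows how a US and a UK Windows host each interpret the same key presses. The host tables are a constructed subset of the two layouts, limited to the keys where they differ. One caveat the search-and-replace hides: it hits two table entries, backslash (0x31) and pipe (0x31 with the shift bit), so both move to the UK key together.

```python
"""Why a sketch built for a US layout types the wrong characters on a UK host.

Added illustration, not code from the post or from the Arduino project.
Models the Arduino Keyboard library's _asciimap: one byte per ASCII
character, low 7 bits = HID usage code, bit 0x80 = Shift held.
The host tables are a CONSTRUCTED subset: just the keys where the US and
UK Windows layouts disagree, plus the keys needed to render the samples.
"""
SHIFT = 0x80


def build_us_asciimap():
    """Rebuild the printable part of the library's US _asciimap."""
    m = {}
    for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
        m[ch] = 0x04 + i                    # 'a' is usage 0x04
        m[ch.upper()] = (0x04 + i) | SHIFT
    for i, ch in enumerate("1234567890"):
        m[ch] = 0x1E + i                    # '1' is usage 0x1E, '0' is 0x27
    for sym, digit in zip("!@#$%^&*()", "1234567890"):
        m[sym] = m[digit] | SHIFT           # shifted digit row
    m.update({"\n": 0x28, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30,
              "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
    for sym, base in zip("_+{}|:\"~<>?", "-=[]\\;'`,./"):
        m[sym] = m[base] | SHIFT            # shifted punctuation
    return m


US_ASCIIMAP = build_us_asciimap()


def patch_backslash(asciimap, old=0x31, new=0x64):
    """Model the WordPad edit from the post: every 0x31 entry becomes 0x64.
    The shift bit is preserved, so '|' (0x31|SHIFT) moves along with '\\'."""
    return {ch: (code & SHIFT) | new if (code & 0x7F) == old else code
            for ch, code in asciimap.items()}


def encode(text, asciimap=US_ASCIIMAP):
    """What Keyboard.print() sends: one (usage, shift_held) pair per character."""
    return [(asciimap[ch] & 0x7F, bool(asciimap[ch] & SHIFT)) for ch in text]


# How a Windows host with a given layout turns (usage, shift) back into a
# character. The US table is the inverse of the US map; the 'Non-US \ and |'
# key (0x64) also gives backslash/pipe under the US layout.
HOST_US = {(code & 0x7F, bool(code & SHIFT)): ch for ch, code in US_ASCIIMAP.items()}
HOST_US[(0x64, False)], HOST_US[(0x64, True)] = "\\", "|"

# UK layout: same keys, different legends on the ones listed here.
HOST_UK = dict(HOST_US)
HOST_UK.update({
    (0x31, False): "#", (0x31, True): "~",    # key next to Enter is #/~ in the UK
    (0x64, False): "\\", (0x64, True): "|",   # key left of Z is \/|
    (0x20, True): "£",                        # Shift+3
    (0x1F, True): '"',                        # Shift+2
    (0x34, True): "@",                        # Shift+'
    (0x35, True): "¬",                        # Shift+`
})


def render(keys, host):
    """Characters a host produces for a sequence of (usage, shift) pairs."""
    return "".join(host.get(k, "?") for k in keys)


def typed_on(text, host, asciimap=US_ASCIIMAP):
    """End-to-end: what `text` sent via `asciimap` looks like on `host`."""
    return render(encode(text, asciimap), host)


if __name__ == "__main__":
    uk_patched = patch_backslash(US_ASCIIMAP)
    print("cmd  ->", encode("cmd"))
    print("US host, stock map :", typed_on("C:\\ #@", HOST_US))
    print("UK host, stock map :", typed_on("C:\\ #@", HOST_UK))
    print("UK host, patched   :", typed_on("C:\\ #@", HOST_UK, uk_patched))
```

The stock map types `C:#` on a UK host where `C:\` was intended, and `#` and `@` come out as `£` and `"`; the patched map fixes the backslash (and the pipe) but nothing else, which is why other keys need remapping in the same way if a script uses them.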

Basic script
Ducky Script syntax is pretty simple. Commands are written in ALL CAPS; most invoke keystrokes, key combos or strings of text, while some insert delays or pauses.

For example:

REM The next three lines execute a command prompt in Windows
GUI r
STRING cmd
ENTER

A good source of further information about ducky script is:

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Duckyscript

The following Arduino sketch version is longer and has a different structure. The key commands are the Keyboard calls in setup().

#include <Keyboard.h>
/*
 * Developer @root_haxor !
 */

// Press and release a single key (declared here so setup() can call it)
void typeKey(int key);

// Init function: runs once when the device enumerates as a keyboard
void setup()
{
  // Begin the HID keyboard stream
  Keyboard.begin();

  // Wait 500 ms for the host to finish setting up the device
  delay(500);

  // The next three lines execute a command prompt in Windows (GUI + r)
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');          // ASCII 114, the 'r' key
  Keyboard.releaseAll();

  Keyboard.print("cmd");

  typeKey(KEY_RETURN);
}

// Press a key, hold it briefly, then release it
void typeKey(int key)
{
  Keyboard.press(key);
  delay(50);
  Keyboard.release(key);
}

// Unused
void loop() {}

Note how key combinations, such as ‘GUI’ + ‘r’, use Keyboard.press followed by Keyboard.releaseAll instead of the Keyboard.print command.